Your router is probably the least maintained device in your home. You set it up, or the ISP did, and it has been sitting there ever since. A router untouched since 2020 is likely running outdated firmware, still using default credentials, and broadcasting on a security protocol researchers have already picked apart. That is not paranoia – that is just what most home setups look like from the outside.
The fixes are not complicated. They mostly take minutes, and together they form the foundation of solid home network security. Here is what to do, in the order that matters most.
1. Change your router’s default admin credentials
Every router model ships with a default admin username and password. These are publicly listed in manufacturer manuals, support forums, and dedicated lookup databases. Anyone on your network – or anyone with access if remote management is enabled – can try them.
Identifies the router model from its response headers, looks up the default credentials, and logs into the admin panel. No hacking involved – just a lookup table and a browser. The whole process takes under two minutes.
Open your router admin page at 192.168.1.1 or 192.168.0.1, go to the admin account settings, and set a unique password you do not use elsewhere. While you are there, disable remote management unless you have a specific reason to keep it on.
Changing the Wi-Fi password but leaving the router admin login as admin / admin. These are different things. The Wi-Fi password connects devices to the network. The admin password controls the router itself.
2. Switch to WPA3 encryption
WEP – still the default on some older routers – can be cracked in minutes with freely available tools. WPA2-AES is the current minimum for acceptable Wi-Fi network security. WPA3, available on most routers made after 2019, is stronger: it uses per-session encryption and resists offline brute-force attacks on your password in a way WPA2 does not.
→ Go to Wireless → Security or Advanced → Wireless Settings
→ Find “Security Mode” or “Authentication Type”
→ Set to: WPA3 – or WPA2-AES if WPA3 is not listed
# Avoid: WEP, WPA-TKIP, “Open”, or Mixed Mode with WEP included
“WPA2/WPA3 mixed mode” sounds like the best of both. It is – but it also keeps older WPA2 vulnerabilities in play. Use pure WPA3 if all your devices support it.
3. Replace the ISP-generated Wi-Fi password
The password on your router sticker is not truly random. ISPs and manufacturers often generate them from the device’s MAC address or serial number – meaning there is a pattern, and researchers have found it on several popular router models.
Knows your router model and ISP, tries algorithmically generated passwords based on visible device identifiers before doing any real brute-forcing. Publicly available tools exist for this, targeting several common ISP models.
Set a new password: 14+ characters, no dictionary words, nothing tied to your address or name. Change it any time you give a visitor access and want to revoke it – or use a guest network for visitors instead.
4. Update your router’s firmware
Your router runs an operating system, and like any software, it has bugs – some of them serious. Unlike your phone, it never reminds you to update. It just runs whatever version it shipped with while manufacturers quietly patch vulnerabilities being actively exploited in the wild.
→ Go to Advanced → Firmware Update or Administration → Update
→ Click “Check for Updates” or download from the manufacturer’s site
→ Enable auto-update if the option exists
# Router reboots after update – 2 to 5 minutes, completely normal
If your router is over five years old and the manufacturer has stopped releasing patches, no configuration change compensates for that. At that point, replacement is the honest answer.
Checking once, seeing “up to date,” and never returning. Patches come out on no fixed schedule. Set a reminder to check every three months.
5. Isolate guests and smart home devices on a separate network
The problem with one shared network is not trust – it is containment. Malware on one device can scan and reach every other device on the same subnet. A guest network runs on a separate subnet with client isolation, so a compromised device on it cannot touch anything on your main network.
Gets onto your network through a weak point – an IoT device with no updates, an infected guest laptop – then scans locally for everything reachable: NAS drives, work laptops, home servers. Without segmentation, every device is visible from every other.
Put visitors on the guest network. Move smart home devices there too – TVs, cameras, bulbs, speakers. They rarely need to talk to your computers, and their security track records are inconsistent enough that treating them as untrusted makes sense. If you also run ZoogVPN at the router level, every device on both networks gets encrypted traffic automatically – no per-device setup needed.
6. Disable WPS
WPS (Wi-Fi Protected Setup) lets devices connect via a PIN or button press instead of a password. The PIN version has a known flaw: the protocol validates each half of the PIN separately, cutting the real number of possible combinations from 100 million down to roughly 11,000. That is a fast brute-force target, and the attack has been public since 2011.
Disabling it is a one-step fix in your router’s wireless settings. You lose push-button convenience and close a hole that has been exploited for over a decade. Wireless network protection is largely about removing features like this before someone else uses them against you.
→ Toggle WPS: Off / Disabled → Save
# On some routers this is under “Advanced” or “Security” – search for WPS
7. Add a VPN at the router level
Everything above secures the boundary between your home network and the devices on it. A router-level VPN adds something different: it encrypts all outbound traffic before it reaches your ISP. Without it, your ISP can see every domain your devices connect to – even with WPA3 running correctly. The encryption WPA3 provides stops at the router; from there, the traffic goes out unprotected.
ISP-level exposure is not always a random hacker. Sometimes it is the ISP selling browsing patterns to ad networks, or a third party who has accessed upstream infrastructure. Traffic leaving your router unencrypted is readable to more parties than most people assume.
Installing a VPN on the router rather than individual devices means everything that connects is covered automatically – phones, TVs, laptops, your partner’s devices – without separate apps. ZoogVPN supports router-level setup, covers all connected devices under one account, and does not sell user data. It is the step that makes secure Wi-Fi at home mean something in full, not just on the device you remembered to install the app on.
Installing a VPN on one laptop and considering the home network covered. Every device not running it – which is usually most of them – is still sending unencrypted traffic through the ISP.
Where to start
Change the admin credentials, update the firmware, switch to WPA3. Those three steps done in an afternoon put you well ahead of most home setups and form the core of securing your home network properly. Add the guest network and disable WPS when you have another ten minutes. A router-level VPN is the step that rounds it all out – and the one most people skip, which is exactly why it matters for complete home network security.
Your router settings are sorted. Now cover the traffic that leaves it.
ZoogVPN encrypts everything going out of your home network – all devices, no app required on each one. Free plan available, no logs, no data selling.
- Diana BestaievaContent Writer at ZoogVPN. Diana deeply explores the newest technologies and shares valuable insights engagingly and comprehensively. Keeping up with the tech news, she makes in-depth content, explaining complex concepts with ease.
